argus_parse.c questions
Nick Giordano
ngiordano at mitre.org
Wed Feb 23 17:37:44 EST 2005
Carter,
Sorry about that. I found my mistake. I was expecting -X to clear
configuration set by previous rarc files, not the command line
arguments. I was using ra -nnn -r <files> -X -F test_rarc and it was
clearing the data input value and ra was hanging. When I run ra -X -F
test_rarc -nnn -r <files> it works great.
There is no note about -X in the ra man page or -h output but the
argus man pages reads:
-X Clear existing argus configuration. This removes any
initialization done prior to encountering this flag. Allows you to
eliminate the effects of the /etc/argus.conf file, or any argus.conf
files that may have been loaded.
I should have noticed that, sorry for the trouble.
About the dabytes,sabytes idea, would you be open to a patch that
added this capability?
Nick
Carter Bullard wrote:
>Hey Nick,
> There are a lot of options for the various programs that are
>not documented. They are generally features that are a bit complex
>or don't work 100% of the time. The -x option works in conjunction
>with other options for ragator to act as a service availability
>monitor. Works most of the time, but under some constraints.
>Something for those that are inquisitive enough to dig into the
>source.
>
> So how does the -X option fail?
>
>Carter
>
>>From: Nick Giordano <ngiordano at mitre.org>
>>Date: Wed, 23 Feb 2005 13:54:30 -0600
>>To: Argus <argus-info at lists.andrew.cmu.edu>
>>Subject: [ARGUS] argus_parse.c questions
>>
>>I was looking through the argus_parse.c file that comes with my
>>argus-clients bundle and I had some questions about some of the
>>configuration options that don't seem to be used or don't work.
>>
>>This is the list of configuration options I get from ra -h:
>>
>>Ra Version 2.0.6.fixes.1
>>usage: ra
>>usage: ra [options] -S remoteServer [- filter-expression]
>>usage: ra [options] -r argusDataFile [- filter-expression]
>>
>>options: -a print record summaries on termination.
>> -A print application bytes.
>> -b dump packet-matching code.
>> -C treat the remote source as a Cisco Netflow
>>source.
>> -d <bytes> print number of <bytes> from user data
>>capture buffer.
>> format: num | s<num> | d<num> | s<num>:d<num>
>> -e <encode> convert user data using <encode> method.
>> Supported types are <Ascii> and <Encode64>.
>> -E <file> write records that are rejected by the
>>filter into <file>
>> -F <conffile> read configuration from <conffile>.
>> -h print help.
>> -n don't convert numbers to names.
>> -p <digits> print fractional time with <digits> precision.
>> -q quiet mode. don't print record outputs.
>> -r <file> read argus data <file>. '-' denotes stdin.
>> -R print out response data when availabile.
>> -s [-][+[#]]field specify fields to print.
>> fields: startime, lasttime, count, dur, avgdur,
>> saddr, daddr, proto, sport, dport, ipid,
>> stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
>> pkts, spkts, dpkts, load, loss, rate,
>> srcid, ind, mac, dir, jitter, status, user,
>> win, trans, seq, vlan, mpls.
>> -S <host[:port]> specify remote argus <host> and optional
>>port number.
>> -t <timerange> specify <timerange> for reading records.
>> format: timeSpecification[-timeSpecification]
>> timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
>> [yyyy/]mm/dd
>> -%d{yMdhms}
>> -T <secs> attach to remote server for T seconds.
>> -u print time in Unix time format.
>> -w <file> write output to <file>. '-' denotes stdout.
>> -z print Argus TCP state changes.
>> -Z <s|d|b> print actual TCP flag values.<'s'rc | 'd'st
>>| 'b'oth>
>>
>>Here are the options that clearRaConfiguration alters in argus_parse.c:
>> aflag = 0;
>> Aflag = 0;
>> Argusdflag = 0;
>> bflag = 0;
>> Bflag = 0;
>> cflag = 0;
>> Cflag = 0;
>> dflag = 0;
>> Dflag = 0;
>> eflag = 0;
>> Eflag = 0;
>> estr = NULL;
>> fflag = 0;
>> Fflag = 0;
>> gflag = 0;
>> Gflag = 0;
>> hfield = 15;
>> Hflag = 0;
>> Hstr = NULL;
>> idflag = 0;
>> jflag = 0;
>> lflag = 0;
>> Lflag = 0;
>> mflag = 0;
>> Mflag = NULL;
>> Netflag = 0;
>> nflag = 0;
>> Nflag = 0;
>> Normflag = 0;
>> notNetflag = 0;
>> Oflag = 0;
>> pfield = 5;
>> pflag = 0;
>> Pflag = 0;
>> qflag = 0;
>> sflag = NULL;
>> tflag = 0;
>> uflag = 0;
>> Wflag = 0;
>>
>> Uflag = 6;
>> vflag = 0;
>> Vflag = 0;
>> iflag = 0;
>>
>> Iflag = 0;
>> Tflag = 0;
>> rflag = 0;
>> Rflag = 0;
>> Sflag = 0;
>> xflag = 0;
>> Xflag = 0;
>> XMLflag = 0;
>>
>> zflag = 0;
>> Zflag = 0;
>>
>>Some of these are set but never used and some of these are used but not
>>documented (at least anywhere I could find). -x for example isn't used
>>in ra but it has some use for ragator ( if (xflag && (srv->status ==
>>RA_SVCFAILED) ) and rahistogram but I couldn't find an explanation.
>>
>>The flag that I am most interested in is the -X flag, which in argus
>>seems to clear out any previous configuration. It looks like it is
>>supposed to do the same thing in ra but doesn't seem to work. The other
>>configuration question I have is if it would be possible to add sabytes
>>and dabytes to the options for -s flag instead of having the -A flag?
>>This would enable users to get output including both source and
>>destination bytes as well as source and destination application bytes
>>at the same time.
>>
>>Thanks,
>>
>>Nick
>>
>
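The ordering behaviour described in this thread, shown with an added illustration that is not argus code: a constructed, simplified left-to-right option parser in which -X resets everything parsed so far, including the -r input file, so "-nnn -r <files> -X -F rarc" ends with no data input while "-X -F rarc -nnn -r <files>" keeps it. The struct, the function names and the "argus.out" filename are assumptions made for this example.

```c
#include <stdio.h>
/* Constructed, simplified model of a left-to-right option parser with a
 * "clear configuration" flag. It is not argus_parse.c; only the flags the
 * thread discusses are modelled. */
struct ra_config {
    int nflag;          /* -n repeat count, as in "ra -nnn" */
    const char *input;  /* -r <file>; NULL means no data input configured */
    const char *rarc;   /* -F <conffile> */
};

/* Stands in for clearRaConfiguration(): reset everything seen so far. */
static void clear_configuration(struct ra_config *c)
{
    c->nflag = 0; c->input = NULL; c->rarc = NULL;
}

/* Parse argv in order; -X resets state, so any -r before it is lost.
 * Returns 0 if an input is configured, 1 if none is left (the case that
 * hung in the thread), -1 on a malformed command line. */
int parse_ra_args(int argc, char **argv, struct ra_config *c)
{
    clear_configuration(c);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            return -1;  /* bare words and the "-" filter separator not modelled */
        for (const char *p = a + 1; *p; p++) {
            switch (*p) {
            case 'n': c->nflag++; break;
            case 'X': clear_configuration(c); break;
            case 'r': case 'F':  /* argument must be the next word */
                if (p[1] != '\0' || ++i >= argc) return -1;
                if (*p == 'r') c->input = argv[i]; else c->rarc = argv[i];
                break;
            default: return -1;
            }
        }
    }
    return c->input ? 0 : 1;
}

int main(void)
{
    char *argv[] = {"ra", "-nnn", "-r", "argus.out", "-X", "-F", "test_rarc"};
    struct ra_config c;
    int rc = parse_ra_args(7, argv, &c);   /* rc=1: -X discarded -nnn and -r */
    printf("rc=%d nflag=%d input=%s rarc=%s\n", rc, c.nflag,
           c.input ? c.input : "(none)", c.rarc ? c.rarc : "(none)");
    return 0;
}
```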